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Introduction 


There is a reason that none of your favourite work has 
appeared on Tor since early 2016. [15] 

That reason has lead to the discovery of a threat to the 
operation of the World Wide Web. 


Prerequisites : 

• The JavaScript Trap [47] 

• Understanding that Google is not to be trusted [45][46] 

• Nick Szabo: "Trusted Third Parties are Security Hoies" 
[44][48] 


Cloudflare, inc. is an American company which offer 
network service for turing tests its users use against visitors, 
which means that it frustrates attempts by users of its users 
to develop software to interact with their websites. [3] 

This might seem strange at first - why would you need a 
program to access a web resource? 

But there's many things that work on the web like this, 
including RSS, streaming, chat, podcasts, and anti-virus 
definitions[57][58] which are completely broken by a 
CAPTCHA appearing mid stream. [11] 

"We humans don't make HTTP requests, our machines to 
do it for us." 

This makes clear what is really being tested here - 
whether or not you have the right software stack in between 
you and Cloudflare. 



This is not hypothetical: Cloudflare is currently 
attempting to dictate which browsers users of their 
"protected' websites may use. [60] 



The Data Collection 


Your right to use Free Software in this stack is at risk and 
could disappear at any moment. 

It also is extracting free labor from website users[35], in 
effect tricking humans into acting like robots in order to pass 
a test designed to see whether or not they are a robot. 

Worse, this labor is being used to train[62] Google's 
artificial intelligence, a very poor candidate for "friendly At'. 
[36] 

Given unfriendly Al is an existential[43] risk[42] to 
mankind, avoiding this should be among the highest of 
priorities. 

This software stack includes human language: the 
CAPTCHAs are in English, leaving non-English speakers 
around the world at a disadvantage[13]. Attempts to fix this 
are bound by the fact that they also leak user's language 
information to Cloudflare[21]. 

Furthermore, they use Google's reCaptcha for their turing 
test - "proof you are a hunnan" challenge - and Google is 
known as a part of US National Security Agency's PRISM 
surveillance project so they expose their website visitor's 
data to PRISM data collection. 

On its own, this is terrible bad but it's also worth pointing 
out how the reCAPTCHAs work. It isn't by whether or not 
you click on the correct icon (though that is a factor too) but 
also collect: 


• Mouse movement, its slightness and straightness 

• Page scrolls 



• Time intervals between browser events 

• Keystrokes 

• Click location history tied to user fingerprint 

• Device information 

• All these criteria are stored in the browser's cookie and 
are processed by Google's servers 

• It should be emphasized that there is DARPA(US Defense 
Advanced Research Projects Agency) technology to 
identify people by mouse movements and typing [23] 


This collection of data is likely illegal in regions where 
privacy is taken seriously, like the EU. [24] 

It is frustrating even when it works because you have to 
fill out 20 captchas on the off-chance that you succeed one 
time in twenty. So this is 95% censorship and 5% wasting 
users' time[5]. On average, the user who use Tor, VPN, or 
shared proxy waste 15 to 20 minutes of their life just to 
complete the captcha. 

More important, though, is that it starts to form a ratchet 
for web browser technology; the captchas are upgraded all 
the time and if you use an older browser, you risk being left 
behind even when it works. 



How Cloudflare Threatens You 


When you fetch a page from a website that is served from 
Cloudflare, JavaScript has been injected on-the-fly into that 
page by Cloudflare. And they also plant a cookie that brands 
your browser with a globally-unique ID called "RAY-ID”. This 
happens even if the website is using SSL and shows a cute 
little padlock in your browser. [10] 

Cloudflare tracks you. 

Even if your traffic is protected from onlookers, Cloudflare 
itself can see your traffic[6] because they are a Man-in-the- 
Middle service(MITM). [14][31] 

In addition, if Cloudflare[53] has intercepted your 
traffic(MITM), so has the NSA[33]. 

"If a site uses Cloudflare, then the browser lock icon is a 
false promise." [14] 

" The short version, a rhetorical question: Would you trust 
a key escrow regime, in which an "authorized" entity was 

entrusted with the potential to decrypt all 
communications at will? If not, why would you trust a de 
facto mass decryption chokepoint at which many 
communications are actually decrypted7'{3^] 

In other words, they are in a position to track, tap, 
and link Internet activity across a wide range of 
sites. [14] 

Cloudflare frustrates accessibility efforts: [25][27][36] 

"CAPTCHA remains the most problematic item indicated 
by respondents" 



Cloudflare is one of the largest, if not the largest source of 
unconsensual CAPTCHAS, making them quite possibly the 
biggest impediment in accessibility efforts worldwide. 

Cloudflare makes using Tor frustrating by making efforts 
to become anonymous more difficult and making it more 
likely that people will use non-Tor connections for some or all 
of their web browsing. The problem is getting worse with 
time. [13] 

It's not just Tor[19] but Tor users are the biggest group of 
people who've noticed it and are organizing against it so far. 

In particular, the model of "Project Honeypot' depends on 
one IP address, meaning one person. As IP addresses 
become scarce, more and more ISPs (and whole 
countries[22]) are forced to use higher and higher levels of 
NAT. The result is that the kinds of treatment of Tor users by 
Cloudflare starts to be not just for Tor, but for all web users. 

"Tor is Just being siightiy ahead of what the IPv4 Internet 
is going to look like pretty soon." 

The next time a large group wakes up, millions of 
websites might be down (including critical ones) across a 
whole continent. This has actually happened already. [49] 

"It was made clear in the Snowden leaks that GCHQ, the 
N5A, etc. would like people to stop using Tor so I am sure 
they are very happy to see CF make general web browsing 
difficult and frustrating for ordinary users." [12] 

Worse, Cloudflare makes using Tor dangerous because 
enabling JavaScript and images to deal with their system 
makes it likely that some people will enable JavaScript and 



images on other websites, which, even if Cloudflare wasn't 
threatening them, would. [9] 

Cloudflare is capable of tracking users of its websites, 
and initial looks into its JavaScript/CAPTCHA seems to bear 
out that they are doing so. 

Cloudflare can target individual users with JavaScript 
malware; since you typically wind up enabling their 
JavaScript to use websites, you fall into their trap. Because 
they track users, are giving, individualised code, and work 
directly with the US government/DHS, there's no reason why 
they can't tailor attacks to specific users. 

Even if they aren't doing it yet, they are at any point one 
US government administration, one vulture capital funding 
purchase[26], or one internally rogue element away from 
executing JavaScript code on hundreds of millions of 
people's computers a "highly attractive" target[7] with no 
oversight. The code CAPTCHA itself protects attempts to 
detect such things from happening. 

The way that Cloudflare is constructed means that even 
by accident, billions of people can be analyzed by their 
government[51] and have their access limited or completely 
cut off at the government's whim. 



How Cloudflare threatens the Web 


Cloudflare is a Man-in-the-middle for the whole 
web. 

As of 3 years ago 10% of the top 25,000 websites used 
Cloudflare. [2] 

A billion people in china are restricted by the Great 
Firewall[8]. Anyone who goes so far as to circumvent that 
must then deal with the "Great Cloudwall" for accessing the 
open internet. 

This is not just an individual problem, but undamentally 
threatens the ecosystem of the web. 

Cloudflare is breaking the open internet one site at a 
time. The web is massively resilient - we can do without 
Stack Overflow, GNU.org or even Google but when a 
significant enough portion of websites use a single provider, 
there starts to be a systematic risk that if that single 
provider goes down, all of the websites behind it will be 
inaccessible. 

Worse, you won't be allowed to access it unless you have 
the right kind of US government approved credential, 
contingent, perhaps, on running software only they approve 
of. 


It is becoming a single point of failure for the 
internet. [39] 

Right now, there are alternative sources for, for example, 
the US constitution[17]. It is not unthinkable that Cloudflare 
is getting big enough to threaten even that. 

"Sometimes there are necessary websites for some 
degree of necessary. Government websites, pubiic service, 



etc. How long until those are behind the Great Cloudwall?" 

"Not long. Our service is competitive and convenient, if 
public service websites choose to use our service for 
awesome DDoS protection, it's their choice." [36] 

Cloudflare has already started down the slippery 
slope[52] of censoring websites. If they didn't have a 
stranglehold on people accessing the internet, it would not 
be a problem. They are big enough that censorship from 
Cloudflare is starting to be a systematic exclusion from the 
political process. 

"Cloudflare is perfect: it can implement censorship on the 
fly without anyone getting wise to it!" [40] 

DNS Service[39]: Given that they have become so 
systematically powerful, the next step to cementing their 
power is to attack DNS traffic. Their “1.1.1.1” Public DNS 
server, like Google's “8.8.8.8”, is marketed to people so that 
Cloudflare will still be able to see you're going to them even 
if you don't interact with websites "protected" by them. It 
gives them even more data to track you with. 



Where does Cloudflare come from? 


Cloudflare comes from a project called "Project Honey 
Pot'l^l], originally intended to track online fraud and abuse. 

" What was Project Honey Pot?" 

'A service that positions itself as some kind of a grassroot- 
y anti-spam registry, but in reality seems to be a pro¬ 
corporate law enforcement tool with the specific aim of 
entrapping and prosecuting spammers/phishing scammers 
in a way that's friendly to the marketing industry.'" 

The US Department of Homeland Security approached 
the developers in 2007-8[l][36] for access to their data and 
they have been working with the US government[54] and 
law enforcement ever since[l]. 



On HTTP GET requests 


Cloudflare has a history of shutting down open DNS and 
open NTP servers. 

"It would be great if they allowed GET requests - for 
example - such requests should not and generally do not 
modify server side content. 

They do not do this - this breaks the web in so many 
ways, it is incredible. 

Using wget with Tor on a website hosted by Cloudflare 
is... a disaster. 

Using Tor Browser with it - much the same. 

These requests should be idempotent according to spec, 
/ believe." 

Cloudflare has a history of closing tickets that are critical 
of it without actually resolving the issue. [29][30][32] 

"Cloudflare is based in a country with secret courts, 
secret police, and secret prisons that are above the law - 
and this secret government has characterized Cloudfiare's 
data as extremely valuable" [28] 

"The CEO says, "Cloudfiare's strength lies in the 
DATA it collects — not in its CODE.'" [28] 

"The U.5. federal government is a Cloudflare customer." 
[28] 


"Cloudflare has never stated that a government agency 
did not install wiretapping equipment or software on the 
same premises as a Cloudflare server ." [28] 



"CloudfJare has never indicated that the architecture of 
its content distribution network is resistant to warrantiess 
mass surveiiiance.'' [28] 

"Cloudflare has given the Chinese government 
unprecedented censorship capabiiity. ' [28] 

"Cioudfiare has no intention to shut down as Lavabit did 
in order to protect the user from uniawfui surveiiiance." [28] 

"Some Cioudfiare customers are paying over 1 miiiion 
dollars per year for an undisciosed service." [28] 

"But Cioudfiare is reaiiy necessary, the world wide web is 
a nasty place" 

The more of the web is held within Cioudfiare, the more 
pressure will be on websites not behind Cioudfiare. 

As of 2016, by Cloudflare's own data. Tor was not as bad 
as normal internet connections. 

People: "But we need Cioudfiare to protect us from 
DDoS." 

Cioudfiare: "That's a nice site you have there. It would be 
a shame, such a shame, if anything happened to it. Why 
don't you let us decrypt all your TL5 sessions[59] so we can 
protect you?"[1 A] 

"I heard Cioudfiare is working with Tor and all is good 
now?" 

Just because you can't see the problem doesn't mean it's 
not there. 

This is not true. Their websites still CAPTCHA their users, 
same as ever, and news agencies across the political 
spectrum screwed up stories about how the 'problem is 
fixed'. [18] 



It's actually worse, though[17], if we couldn't see it[60] - 
it was easy to get a lot of riled up Tor users to understand 
that Cloudflare was their adversary. It's a lot harder to 
convince people who are not blocked from their websites, 
today, why giving systematic control over the world wide 
web might be a bad thing tomorrow. 

"Right now, Cloudflare says it monitors nearly 1/5 of all 
Internet visits. An astounding claim for a company most 
people haven't even heard of' [40] 

But they are now doing more to track users and threaten 
the anonymity of Tor users. 

Cloudflare is one of a couple of large network providers 
that are capturing the vast majority of digital 
communications, effectively creating private networks the 
size of the modern internet that are competitive with and 
not subject to the same kinds of scrutiny and regulation as 
the internet. [58] 

"What If we shut down Cloudflare and migrate all 
websites out of them?" 

We're probably going to have the same problem with 
another company very soon. Just as when suddenly Microsoft 
no longer had a monopoly on software, we didn't get rid of 
the problem of proprietary software, there's a couple of 
problems that, if wedon't solve them, something like 
Cloudflare is roughly inevitable as a consequence: 

Cloudflare DNS 

DNS[50] is around, servers are insecure, proper end-to- 
end crypto isn't the norm hence MITM goes unnoticed. 



anonymity is an edge case, routing lacks built-in resiliency 
to disruption, we're always going to have actors building a 
business model around cobbling together superficial, 
overapproximating mitigations. [20] 

Mozilla and Cloudflare 

At least for browsing with Firefox, because Mozilla has 
partnered up with Cloudflare and will resolve the domain 
names 

from the application itself via a DNS server from 
Cloudflare based in the United States. Cloudflare will then 
be able to 

read everyone's DNS requests. 

Sharing DNS requests with Cloudflare represents mozilla 
having a security hole, straight to the Cloudflare (and 
probably: the NSA). 



What can you do? 


Learn more about Cloudflare and make sure the people 
around you know about Cloudflare. 

Use Tor by default to be more exposed to the blocks. 

Go to the anti-Cloudflare collaboration repository[41] and 
make sure websites you use aren't "protected', and if they 
are, contact the people who run the website equesting that 
they no longer use Cloudflare. 


You can give up, or you can resist. 
The choice is yours. 
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